The Laws of Mathematics and the Laws of Nations: The Encryption Debate Revisited

Australia is weighing in on the encryption debate regarding exceptional access by law enforcement. As George Brandis, the Australian Attorney-General, described last month, the Prime Minister’s office advocates requiring “internet companies and device makers [to follow] essentially the same obligations that apply under the existing law to enable provision of assistance to law enforcement and to the intelligence agencies, where it is necessary to deal with issues: with terrorism, with serious organized crime, with paedophile networks and so on.” He further asserted that the chief cryptographer at GCHQ, the Government Communications Headquarters in the United Kingdom, had assured him that this was feasible.

The Prime Minister of Australia, Malcolm Turnbull, subsequently entered into an interesting interchange with a reporter. When asked by Mark DiStefano, a reporter from ZDNET, “Won’t the laws of mathematics trump the laws of Australia? And then aren’t you also forcing people onto decentralized systems as a result?” the Prime Minister of Australia said, “the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”

This interchange provides a good opportunity to explore where the laws of mathematics and the laws of nations hold sway. DiStefano’s comment about the “laws of mathematics” is a reference to the conclusion offered by many technically informed parties that including a capability for exceptional access into any encryption scheme invariably reduces the security afforded by that scheme.

But this conclusion is not what the Attorney-General was referring to; he spoke only of an obligation of vendors to provide assistance to law enforcement and intelligence agencies (presumably to provide clear text when required by law). It is certainly possible to develop a system that enables vendors to meet this requirement, and a system with this capability must be that which the chief cryptographer at GCHQ asserts is feasible. This system will not be as secure as it would be without this requirement, though it will enable certain law enforcement and intelligence activities to take place that would not otherwise be possible.

So once again, we see that participants in this debate are not arguing about the same thing. The anti-exceptional access community is talking about the impossibility of developing a system with exceptional access capability that affords the same security as one without such a capability. The pro-exceptional access community is talking about the feasibility of a system with exceptional access capabilities that provides the best security possible given that requirement. And both communities are correct.

Whether the tradeoff is worthwhile—lesser security for all in exchange for better ability to pursue certain law enforcement and intelligence activities—is clearly a policy and legal decision for the Australian government. Of course, to have a reasonable debate about this question, the Australian government would have to acknowledge the first part of this tradeoff—lesser security for all—and whether or not it is willing to do so is not yet clear.

Turnbull’s statement is absurd on its face. A more astute response would have been to acknowledge that human laws must be consistent with the laws of mathematics but then to say that the laws of mathematics do not prevent compliance with a requirement such as the one proposed by the Attorney-General. But the Prime Minister would also have had to acknowledge the above-mentioned tradeoff explicitly—and maybe such an acknowledgment would have been politically inconvenient.

As I have written before, these comments also apply precisely to the corresponding debate in the United States. To make progress on either side of the Pacific Ocean, it would help if both sides were talking about the same thing.

Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Research Fellow at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.